Developers of software generally seek to adhere to the “Principle of Least Privilege,” which states that a program should run with the least amount of privilege necessary to perform the task at hand, i.e., the task the program is meant to accomplish. Exemplary privileges that may be required by a program include file operations (e.g., open, close, read, and write operations), registry operations, and communications operations. Observance of the Principle of Least Privilege by program developers and application installers helps to minimize the amount of damage that can be caused by errors in the program, by possible security breaches, or by attacks that exploit the privileges granted to the program.
While developers recognize a need to adhere to this principle, it is often difficult to translate the principle into practice. For example, a program typically has some level of unnecessary privilege because (1) if a program has too little privilege, the program will fail, whereas (2) a program having too much privilege typically goes unnoticed. Moreover, it is often difficult for a developer to adequately assess the level of privilege required by a program prior to the program's release and deployment. Further, some developers may violate the Principle of Least Privilege by granting more than the least privilege necessary in order to ease implementation and aid debugging and testing. In doing so, developers may avoid the time and cost of generating patches and updates to correct an otherwise insufficient grant of privileges. However, in violating the Principle of Least Privilege, the developers intentionally or inadvertently grant excess privileges that may expose the organization to security risks. Further, during program installation, installers typically do not know what privilege the program needs in order to execute and may install the program with more privilege than it needs.